In a recent demonstration, Bobby Cooke and Dylan Tran showcased a method to bypass Windows Defender App Control using Loki C2, a Command and Control framework built entirely in JavaScript. This technique has proven effective against multiple security measures, raising significant concerns for Windows security administrators.
You Should Know:
To understand and potentially mitigate such attacks, here are some practical steps, commands, and code related to the topic:
1. Understanding Windows Defender App Control:
- Windows Defender Application Control (WDAC) is a feature that restricts the execution of unauthorized scripts and executables.
- To view current WDAC policies, use the following PowerShell command:
Get-CimInstance -Namespace root/Microsoft/Windows/CI -ClassName PS_AppliedConfig
2. Analyzing Loki C2 Framework:
- Loki C2 is a JavaScript-based framework designed for stealthy command and control operations.
- To detect suspicious JavaScript execution, monitor the Windows Event Logs for unusual `powershell.exe` or `wscript.exe` activity:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -like "*JavaScript*" }
3. Strengthening WDAC Policies:
- Update WDAC policies to block unsigned scripts and executables. Use the following command to create a new policy (New-CIPolicy requires a -Level; Publisher trusts files by their signing certificate so the policy survives patching):
New-CIPolicy -FilePath "C:\Policy.xml" -ScanPath "C:\Windows" -Level Publisher -UserPEs
- Convert the XML policy to the binary form that Code Integrity loads, then deploy that binary:
ConvertFrom-CIPolicy -XmlFilePath "C:\Policy.xml" -BinaryFilePath "C:\Policy.bin"
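The complete policy workflow, as an added example that is not from the original post: create the policy, put it in audit mode first, convert it, deploy the binary, and review what audit mode would have blocked before enforcing. File paths are placeholders, and the deployment step assumes the single (legacy) policy format, where the binary is copied to SIPolicy.p7b; the multiple-policy format uses the CiPolicies\Active folder instead.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on a Windows edition that supports WDAC; paths are placeholders.
$PolicyXml = "C:\Policy.xml"
$PolicyBin = "C:\Policy.bin"

# 1. Build a policy from the trusted image, as the post does. -Level Publisher
#    trusts files by signing certificate; -Fallback Hash covers unsigned files;
#    -UserPEs includes user-mode binaries, not only kernel-mode ones.
New-CIPolicy -FilePath $PolicyXml -ScanPath "C:\Windows" -Level Publisher -Fallback Hash -UserPEs

# 2. Rule option 3 = Enabled:Audit Mode. Unlisted scripts and binaries are
#    logged instead of blocked while the policy is tuned, so a too-narrow
#    policy does not break the host on first deployment.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert the XML policy to the binary form Code Integrity loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Deploy (single/legacy policy format) and reboot for it to take effect.
Copy-Item -Path $PolicyBin -Destination "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 5. After the reboot, review the audit trail. Code Integrity logs 3076 for
#    "would have been blocked" (audit) and 3077 for "blocked" (enforced);
#    script and MSI decisions land in the AppLocker log as 8028 (audit) and
#    8029 (blocked), which is where wscript/cscript/PowerShell hits appear.
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-CodeIntegrity/Operational"; Id = 3076, 3077 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-AppLocker/MSI and Script"; Id = 8028, 8029 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 6. Once the audit events show only expected noise, remove audit mode,
#    re-run steps 3 and 4, and reboot to enforce the policy.
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
```

Leaving the policy in audit mode for a few days of normal use is what catches the legitimate unsigned scripts that a scan of C:\Windows alone never sees; every 3076 or 8028 event is either a file to add to the policy or a candidate for removal from the host.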
4. Monitoring and Mitigation:
- Use Sysmon to monitor process creation and script execution. Example configuration:
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="contains">powershell.exe</Image>
      <CommandLine condition="contains">-EncodedCommand</CommandLine>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
- Deploy Sysmon with:
sysmon -accepteula -i sysmonconfig.xml
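The detection side of sections 2 and 4, as an added example that is not from the original post: a function that reads Sysmon process-creation events (Event ID 1), keeps only the script hosts the post names (plus their close relatives), decodes any -EncodedCommand payload into readable text, and reports why each event was flagged. It assumes Sysmon is installed with a configuration that logs these process creates. Note that the two conditions in the post's Sysmon snippet are matched independently (either one alone produces an event) unless they are wrapped in a Rule element with groupRelation="and"; this function does its own filtering on the command line, so either configuration works.

```powershell
# Added example (not from the original post). Assumes Sysmon is installed and
# writing Event ID 1 (process create) to its operational log.
function Get-SuspiciousScriptHostEvents {
    param(
        [int]$MaxEvents = 500,
        # Script hosts of interest; powershell.exe and wscript.exe are the two the post names.
        [string[]]$ScriptHosts = @("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
    )

    $filter = @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as <Data Name="...">value</Data>; flatten them into a table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image = ([System.IO.Path]::GetFileName([string]$data["Image"])).ToLower()
        if ($ScriptHosts -notcontains $image) { return }

        $cmd     = [string]$data["CommandLine"]
        $decoded = $null
        # -EncodedCommand (and the abbreviations PowerShell accepts) carries
        # Base64 of UTF-16LE text, so decode with the Unicode encoding.
        if ($cmd -match '-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { }
        }

        # Reasons to surface the event: encoded PowerShell, a script host given
        # a JScript file, or a download-and-evaluate one-liner.
        $reasons = @()
        if ($decoded) { $reasons += "encoded command" }
        if ($cmd -match '\.jse?\b') { $reasons += "JScript file argument" }
        if (($cmd + $decoded) -match 'DownloadString|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression') { $reasons += "download/eval pattern" }
        if ($reasons.Count -eq 0) { return }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $data["Image"]
            ParentImage = $data["ParentImage"]
            User        = $data["User"]
            Reasons     = ($reasons -join ", ")
            CommandLine = $cmd
            Decoded     = $decoded
        }
    }
}

# Usage (run elevated so the Sysmon log is readable):
# Get-SuspiciousScriptHostEvents -MaxEvents 2000 | Format-List
```

ParentImage is included because a script host spawned by an Office application, a browser, or another script host is usually more interesting than one started from an administrator's console; sorting the output by that column is a quick first triage.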
5. Endpoint Detection and Response (EDR):
- Ensure your EDR solution is configured to detect and block suspicious JavaScript execution. Regularly update detection rules.
What Undercode Say:
Bypassing Windows Defender App Control with tools like Loki C2 highlights the evolving sophistication of cyber threats. To defend against such attacks, organizations must adopt a multi-layered security approach, including robust application control policies, continuous monitoring, and regular updates to detection mechanisms. Leveraging tools like Sysmon and PowerShell for proactive defense can significantly enhance your security posture. Stay vigilant and keep your systems updated to mitigate emerging threats effectively.
For further reading, refer to the official Microsoft documentation on Windows Defender Application Control.
References:
Reported By: Bobby Cooke – Hackers Feeds